On 21 January 2019 the data protection regulator in France (Commission Nationale de l’Informatique et des libertés, known as the “CNIL”) imposed the first large GDPR fine: a record breaking 50 million euros (approximately £44 million) against Google LLC. This caused headlines not only because of its size, but also because of the breaches in the spotlight.

The actions arose out of complaints initiated by privacy interest groups “None Of Your Business” and “La Quadrature du Net”.

Articles 12 and 13 transparency and information obligations

The CNIL found that Google had not been transparent with Android users about how it collected and used personal data. Its fair processing notice was not accessible, it displayed information spread across many applications and webpages, it did not contain all required elements, and the general form and structure was non-compliant. This meant that users could not understand how personal data would be processed by Google or what the consequences of processing might be.

The CNIL drew particular attention to the number of Google services collecting personal data on the Android system (approximately 20 including phone, Gmail, YouTube, Google Maps, and Google Analytics cookies on third-party websites) and to the vagueness of the information Google gave regarding how data would be used, citing generic purposes such as to “ensure the safety of products and services”.

Article 6 – lawfulness of processing

Google relied on consent as its legal basis for processing personal data for ad personalisation. It told Android users that “Google can show you ads based on your activity in Google services (for example, Google search or YouTube, as well as on Google's websites and partner applications)”. However it was not possible for users to see which applications, sites, and services were involved. When creating an account the ad personalisation options were pre-ticked and the user was required to tick the boxes: ”I agree to Google’s Terms of Service” and "I agree to the processing of my information as described above and further explained in the Privacy Policy". This meant that the user provided his or her blanket consent for all of the processing purposes that relied on consent (including for speech recognition) and the user could not choose whether to give or withhold consent for a particular purpose.

Therefore the CNIL found that consent had not been properly obtained because it did not meet the GDPR standard of being “specific” and “unambiguous”. Additionally in view of the fact that Google was in violation of its transparency requirements, the CNIL also found that consent was not “informed”.

The One Stop Shop

The GDPR introduced the concept of the “one stop shop”; a mechanism to allow a single supervisory authority to act as the lead authority on behalf of other EU supervisory authorities and issue fines. Google argued that its European headquarters were in Ireland and therefore the Irish Data Protection Commissioner (rather than the CNIL) should have handled this complaint. However, the CNIL found that Google did not have a main establishment in the EU; its key decision making and processing activities under investigation were not made by the Irish entity. This meant that the “one stop shop” was not engaged and the CNIL, along with any other supervisory authority, could make a decision in respect of Google’s activities. the ICO is said to be considering its possible next steps.

Google has confirmed that it will appeal the CNIL's decision.

What can we learn from the Google fine?

This fine demonstrates that supervisory authorities are not afraid of flexing their enforcement and fining powers.

It is also indicative of a new enforcement trend across which is no longer focussed just on security and data breaches, but instead looks at the lawful use of personal data. We expect that a new wave of enforcement activity focussed on transparency and consent infringements will follow the Google fine. We recommend that all organisations review their fair processing notices (including delivery mechanisms) and consent wordings to ensure that meet the high standards set by the GDPR.

The CNIL fine press release and notice against Google (in French) can be accessed here.